Software Integrity

U.S. to re-negotiate Wassenaar Arrangement

After six months of feedback from the US security community, the United States said on Tuesday that it would re-negotiate the Wassenaar Arrangement, in particular the provisions covering hacking and surveillance technologies. In a letter made public on Tuesday and reported by the Associated Press, Caroline Tess, the National Security Council’s Senior Director for Legislative Affairs, wrote that “keeping these technologies from illegitimate actors must not come at the expense of legitimate cybersecurity activities.”

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies dates back to 1996. Its purpose is to promote regional and international security by promoting transparency and greater responsibility among member states in transfers of conventional arms and dual-use goods and technologies. The multilateral export control regime (MECR) has 41 participating states, including many former Eastern Bloc (COMECON and Warsaw Pact) nations. They are Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Kingdom and the United States.

Interestingly, China and Israel, both major arms exporters, are not members, but they do maintain complementary export controls of their own.

Under the 2013 update to the Arrangement, the United States agreed to restrict the export of tools related to “intrusion software,” particularly those that could fall into the hands of repressive regimes. Members of the US security research community, however, were caught off guard by the signed update. They only learned the full extent of the restrictions last summer, when the government solicited feedback on how to implement it. The feedback was overwhelmingly negative: most of the roughly 300 comments from cybersecurity professionals argued that the rule would actually weaken cybersecurity.

One draft rule proposed by the Department of Commerce’s Bureau of Industry and Security would have blocked the transfer of offensive tools. Offensive tools are built to attack, and in penetration testing that is precisely how researchers probe a product for weaknesses so that its security can be shored up.

Under the proposed rule, transferring covered cybersecurity technology outside the United States would require an export license. Many US security companies operate in multiple countries and test their own corporate networks, which span international borders. So a company conducting cybersecurity research in both the US and Finland would have to obtain an export license. The US export license is free, but it can take up to three weeks to issue. If the rule were fully implemented, the number of companies requesting licenses for their products would swamp the office with requests.